The commercial implications of PCI

Ultimately there is no escape from PCI. Whether you are a sophisticated multinational retailer or a small business that accepts card payments – online or offline, it is widely expected that much more rigorous enforcement will be commonplace from 2012.

Technologies and strategies for dealing with PCI are still catching up, although technology firms are ramping up research and development investment to provide better services and tools to cope with demands. PCI is here to stay, and it will become increasingly pervasive as time goes on.

Because higher transactional processing costs are now routine for many noncompliant merchants, some have done the sums and realised that the cost of compliance is lower than the overall financial implications of non-compliance. With this commercial imperative now clear, a number of companies are accelerating their PCI programmes and arguably those who achieve compliance earliest could even achieve a competitive advantage through their reduced cost base in the long term.

Since PCI covers your entire trading environment, all third-party partners that store, process or transmit cardholder data must also comply before you can achieve full compliance. Such third parties include:

As an example, for those merchants that do not interact directly with an acquiring bank, but instead use a third-party payment gateway (such as WorldPay or PayPal) the implications are both technical and commercial. That payment gateway is also required to meet PCI standards though not all have become compliant with the same speed. For you to be compliant as a merchant, you would need evidence that your payment provider’s standards meet the requirements of your own certification.

Using such a payment gateway theoretically reduces your exposure - after all, such providers are experts in securely managing such transactions - but each provider has a different cost model for dealing with PCI and this aspect of compliance has yet to reach equilibrium. What’s more, some payment services providers are now starting to refuse to take on merchants who are not already well down the road to PCI compliance themselves, so using a payment provider does not take your organisation out of scope. The PCI community’s focus is currently on volume - i.e. preventing hundreds of cardholder details being stolen. There have been a number of high-profile cases where business operations have been seriously affected by loss of cardholder data. For example, the cosmetics firm Lush had to close its UK web site in January 2011, in response to a sustained hacking attack over a three-month period which left users’ details vulnerable to credit card fraud.